TechBizWebTechBizWeb

    Subscribe to Updates

    Get the latest news about Technology and Business from all around the web..

    What's Hot

    Missile strikes rekindle fear among Kyivans as Moscow renews attacks

    July 2, 2022

    FTX agrees deal with option to buy BlockFi for up to $240mn

    July 2, 2022

    The end of the frictionless life

    July 2, 2022
    Facebook Twitter Instagram
    • About Us
    • Privacy Policy
    • Guest Post
    • Terms
    • Contact
    Facebook Twitter Instagram
    TechBizWebTechBizWeb
    Subscribe
    • Home
    • Technology

      Twitch is testing channel surfing

      July 2, 2022

      You can now play the “all your base are belong to us” game on your Switch

      July 2, 2022

      There’s a better way to bypass Windows 11 install restrictions

      July 2, 2022

      What is the best controller for Xbox consoles?

      July 1, 2022

      The GPU shortage is over

      July 1, 2022
    • Business
    • Cyber Security

      Tips to bolster cybersecurity, incident response this 4th of July weekend

      July 1, 2022

      Jon Raper named CISO at Costco

      July 1, 2022

      2022 RSAC takeaways: Risk management vs compliance

      July 1, 2022

      3 security lessons we haven’t learned from the Kaseya breach

      July 1, 2022

      Auston Davis named CISO at Versant Health

      June 30, 2022
    • Blockchain
    • Vulnerabilities
    • Social Engineering
    • Malware
    • Cyber Security Alerts
    TechBizWebTechBizWeb
    Home»Cyber Security»Data shows regulatory password compliance falls short
    Cyber Security

    Data shows regulatory password compliance falls short

    May 27, 2022Updated:May 27, 2022No Comments5 Mins Read
    Facebook Twitter Pinterest LinkedIn Tumblr WhatsApp
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Organizations of all kinds look to regulatory recommendations and standards for guidance on constructing a secure password policy for their networks. However, new research shows that regulatory password complexity and construction recommendations are insufficient. 

    According to the Specops research, which analyzed over 800 million known compromised passwords, up to 83% of passwords that appear in compromised password databases would otherwise satisfy regulatory password standards. The team compared the construction rules of five different standards against a dataset of 800 million compromised passwords.

     

    The following regulatory standard rules were investigated:

    1. NIST
    2. HITRUST for HIPAA
    3. PCI
    4. ICO for GDPR
    5. Cyber Essentials for NCSC

     

    Quite a few of these standards include a recommendation or requirement to also use a known compromised password list to prevent the use of breached passwords, and for a good reason. The following chart shows what percent of the known compromised password dataset would otherwise fulfill regulatory recommendations.

    Image courtesy of Specops

     

    1. Almost NCSC (Cyber Essentials) Compliant Compromised Passwords

     

    NCSC, the National Cyber Security Centre, is a part of the United Kingdom government that provides advice and support for the public and private sectors on avoiding computer security threats. The NCSC’s approved accreditation scheme, Cyber Essentials, outlines a standardized baseline for cyber security policies, controls, and technologies. Cyber Essentials is mandatory for government contracts that involve handling personal information, or provisioning certain products and services.

     

    The Cyber Essentials password requirements include:

    1. set a minimum password length of at least 8 characters
    2. do not set a maximum password length
    3. change passwords promptly when suspected they have been compromised

     

    When the Specops team analyzed the compromised password dataset for passwords that are 8 characters or more, they found that 82.98% of the passwords fulfilled that requirement.

     

    Some examples of the nearly 83% otherwise compliant passwords:

    • malcom01
    • maidmarian
    • magvai87magvai87
    • maggie1987
    • madrilena

     

    2. Almost ICO/GDPR Compliant Compromised Passwords

     

    The General Data Protection Regulation (GDPR) requires organizations to take care of protecting EU citizen data and privacy. The regulation provides no specific password guidance, but the Information Commissioner’s Office (ICO), which is responsible for enforcing the regulation, does provide some non-binding guidance, including:

    1. Password length: Minimum length should be 10 characters and there should be no maximum.
    2. Password complexity: Don’t mandate the use of special characters.
    3. Password deny list: Block the use of common and weak passwords.

     

    Screen passwords against a password list of the most commonly used passwords leaked passwords from breaches, and guessable words related to the organization. Update the leaked password list regularly and explain to users why they their passwords have been rejected.

     

    When the Specops team analyzed the compromised password dataset for passwords that would fulfill these recommendations, they found that 43.48% of the compromised passwords would meet the password length standard.

     

    Some samples of the 43% otherwise-compliant compromised passwords:

    • ihatekittens
    • ihatebrent
    • ihateapples
    • igor5062489
    • igor454645

     

    3. Almost HITRUST/HIPAA Compliant Compromised Passwords

     

    Formed in 2007 to fill the gap in the often found to be vague requirements of HIPAA, the Health Information Trust (HITRUST) offers a framework to comply with standards such as ISO/IEC 27000-series and HIPAA. 

     

    Some of the password guidance provided by HITRUST includes:

    1. Minimum of 8 characters
    2. At least 1 upper or lower or number or symbol
    3. Not too many consecutive identical characters

    The Specops team defined “not too many consecutive identical characters” 4 or more, and found 56.87% of the compromised password dataset fulfilled the above guidance.

     

    Some examples of the otherwise-compliant nearly 57% compromised passwords:

    • freedom1321
    • freddie43
    • fortview0122015
    • forrest55
    • foolish16

     

    4. Almost PCI Compliant Compromised Passwords

     

    The major credit card companies – Visa, Mastercard, and American Express – established Payment Card Industry Data Security Standards (PCI DSS) guidelines in 2006 in an effort to protect credit card data from theft. PCI v3 has 12 Requirements; Requirement 8 covers identifying and authenticating access to system components and includes the following password recommendations:

    1. Minimum 7 characters
    2. At least 1 number and one alpha character

     

    The Specops team analyzed the compromised password dataset for passwords that met the above criteria and found that 59.14% of the dataset matched those requirements.

     

    Some samples of the 59% otherwise compliant passwords:

    • 22pink22
    • 21dog657
    • o1livia
    • beatrice.99
    • klippen5            

     

    5. Almost NIST Compliant Compromised Passwords

     

    NIST, the National Institute of Standards and Technology, sets the information security standards for federal agencies (or organizations looking to do business with those agencies) in the United States. Through the NIST Special Publication 800-63B Digital Identity Guidelines, NIST provides best practices related to authentication and password lifecycle management. In this publication, 

     

    NIST outlines several best practices to bolster password security, including:

    1. Minimum password length of 8 characters
    2. Prevent the use of repetitive or incremental passwords
    3. Disallow context-specific words as passwords
    4. Check passwords against breached password lists

     

    The Specops team analyzed the 800 million compromised password dataset for passwords that met a minimum length of 8 characters and did not use repetitive or incremental characters, and found 78.27% of the known compromised password dataset to fulfill those two recommendations. The repetitive/incremental check included looking for character repetition of at least 3 (aaa, bbb, ccc) and sequences of 123, 234 etc. In a real-world setting, context-specific checks such as preventing usernames and business-related words would drive this down further.

     

    Some examples of the 78% otherwise compliant passwords:

    • password1
    • qwertyuiop
    • 1q2w3e4r5t
    • iloveyou
    • myspace1

     

    cyber security GDPR Password risk management
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

    Related Posts

    Tips to bolster cybersecurity, incident response this 4th of July weekend

    July 1, 2022 Cyber Security

    Jon Raper named CISO at Costco

    July 1, 2022 Cyber Security

    2022 RSAC takeaways: Risk management vs compliance

    July 1, 2022 Cyber Security

    3 security lessons we haven’t learned from the Kaseya breach

    July 1, 2022 Cyber Security

    Auston Davis named CISO at Versant Health

    June 30, 2022 Cyber Security

    #StopRansomware: MedusaLocker | CISA

    June 30, 2022 Cyber Security Alerts
    Editors Picks

    FTX agrees deal with option to buy BlockFi for up to $240mn

    July 2, 2022

    The end of the frictionless life

    July 2, 2022

    Twitch is testing channel surfing

    July 2, 2022

    You don’t need a crowd for a communal moment

    July 2, 2022
    Trending Now

    Klarna valuation crashes to $6.5bn from $46bn

    By techbizweb

    The GPU shortage is over

    By techbizweb

    Google closes data loophole amid privacy fears over abortion ruling

    By techbizweb

    https://www.nationalsportsacademy.com

    slot gacor hari ini

    http://www.inadesfo.org/

    http://www.eueomgbissau.org/

    http://www.congo-mai-mai.net/

    http://www.angelesdelafrontera.org/

    http://fifaworldcup2018schedule.com/

    http://tony4gtrmcr.co.uk/

    http://www.standrewsagreement.org/

    http://www.bob-russell.co.uk/

    http://davidmulholland.co.uk/

    http://railwayhotelenniskillen.com/

    http://www.fantasysportstrades.com/

    http://www.rainleaf-flooring.com

    http://mothersagainstguns.org/

    http://ma-coc.org/

    slot online

    http://www.paradoxmag.com/situs-judi-slot-online-gampang-menang-2021/

    http://www.paradoxmag.com/situs-judi-slot-online-terbaru-2021/

    http://slot-terbaru.net/

    Slot Gacor

    Slot Online

    Situs Slot Gacor

    http://www.appdexterity.com/

    https://cars4kids-deutschland.de/

    https://www.stretchingculture.com/

    https://www.b-123-hp.com/slot-gacor/

    https://denzstaffing.nl/

    https://ezbbqcooking.com/slot-gacor/

    https://www.mbahelp24.com/slot-gacor

    https://minhtanstore.com/slot-jackpot-terbesar/

    https://njbpusupplierdiversity.com/slot-gacor-gampang-menang/

    https://www.floridaspecialtycropfoundation.org/slot-gampang-menang/

    https://childrenscornerpreschool.org/slot-gacor-gampang-menang/

    https://cryptoquoter.com/slot-online-terbaik/

    https://alorkantho24.com/slot-gacor/

    https://ellas.xyz/slot-gacor/

    https://it.dougamatome.xyz/slot-online/

    https://www.daltercume.com/slot-gacor/

    https://josi-ana.dougamatome.xyz/slot88/

    https://josi-ana.dougamatome.xyz/slot-gacor/

    https://fastobserver.com/slot-jackpot-terbesar/

    https://www.planetexperts.com/slot-gacor/

    https://bfsolution.group/slot-bet-kecil/

    https://rustleva.co/slot/

    https://bfsolution.group/slot-bet-kecil/

    https://www.hotelcalimareal.com/togel-online/

    https://anime-game.dougamatome.xyz/slot-gacor-gampang-menang/

    https://anime-game.dougamatome.xyz/togel-online/

    https://bourbonbarrelfoods.com/slot/

    http://suneo39.wp.xdomain.jp/slot/

    https://techbizweb.com/slot-gacor/

    https://www.generalcatalyst.com/18-daftar-slot-gacor-terbaik-gampang-menang-jackpot-hari-ini/

    https://www.hotelcalimareal.com/slot-online/

    https://www.blockgates.io/slot-gacor/

    https://l12.com.br/slot-gacor/

    slot paling gacor

    https://www.donalds-hobby.com/slot-online/

    https://thecryptodirt.com/slot-gacor-hari-ini/

    http://iseta.edu.ar/aulavirtual/app/upload/users/1/1205/my_files/sbobet.html

    http://escuelavirtual.mincit.gov.co/app/upload/users/1/194/my_files/slot.html

    https://www.dev.medecinesfax.org/courses/JUDICASINO/document/slot.html

    http://www.e-archivos.org/cursos/courses/JUDICASINO/document/slot-gacor.html

    http://iesma.com.br/ead/main/upload/users/4/447/my_files/slot.html

    https://www.fundacoop.org/chamilo/app/upload/users/1/1185/my_files/slot.html

    https://fata-aatf.org/eskola/main/upload/users/3/31/my_files/slot.html

    https://uancv.edu.pe/ofinvestigacion/app/upload/users/3/328/my_files/slot-terlengkap.html

    https://micost.edu.my/EL/app/upload/users/2/209/my_files/slot-gacor.html

    https://www.academiacoderdojo.ro/elearningdev/app/upload/users/2/2442/my_files/slot-online.html

    http://campus-cidci.ulg.ac.be/courses/JUDICASINO/document/slot-termurah.html

    https://www.escueladerobotica.misiones.gob.ar/aula-ste/courses/LIVECASINO/document/slot-tergacor.html

    http://ccdipeepccqqfar.usac.edu.gt/chamilo/app/upload/users/3/358/my_files/slot-online.html

    https://cunori.edu.gt/campus/app/upload/users/7/7334/my_files/slot-online.html

    http://u-rus.com.ar/aula/app/upload/users/1/1322/my_files/slot.html

    http://icrodarisoveria.edu.it/chamilo/app/upload/users/1/1855/my_files/slot.html

    https://iestpliliagutierrez.edu.pe/clarolgm/courses/CASINO/document/slot.html

    http://pva.cobach.edu.mx/app/upload/users/7/7379/my_files/slot.html

    http://www.imb-pc-online.edu.gt/PL/app/upload/users/3/373/my_files/slot.html

    http://avcs.upeu.edu.pe/main/upload/users/3333/my_files/slot.html

    https://chamilo.fca.uas.edu.mx/app/upload/users/1/11186/my_files/slot-online/

    TechBizWeb
    Facebook Twitter Instagram Pinterest Vimeo YouTube
    • Home
    • Guest Post
    • About Us
    • Privacy Policy
    • Our Authors
    • Terms and Conditions
    • Contact
    © 2022 Tech Biz Web. Developed by Sawah Dev.

    Type above and press Enter to search. Press Esc to cancel.